Copyright© Dorling Kindersley India Pvt Ltd Introduction 1 CAP361: SECURITY AND PRIVACY OF INFORMATION Bhagat Avinash Asst. Prof. Domain:D3 School of Computing Applications Lovely Professional University Email: [email protected] [email protected] 06/06/22
11002_lec 01-04 (1)

Nov 02, 2014

Prashant Jha

Transcript
Page 1: 11002_lec 01-04 (1)

Copyright© Dorling Kindersley India Pvt Ltd

Introduction 1

CAP361: SECURITY AND PRIVACY OF INFORMATION

Bhagat Avinash
Asst. Prof.
Domain: D3
School of Computing Applications
Lovely Professional University

Email: [email protected], [email protected]

04/08/23

Page 2: 11002_lec 01-04 (1)

The name cryptography comes from the Greek words 'kryptos', which means hidden, and 'graphia', which means writing.

Cryptography is the art of creating and using cryptosystems. Or, simply put, it is the art of secret writing.

Page 3: 11002_lec 01-04 (1)

Definition

• The protection afforded to an automated information system in order to attain the applicable objectives of preserving the integrity, availability and confidentiality of information system resources (includes hardware, software, firmware, information/data, and telecommunications).

Page 4: 11002_lec 01-04 (1)

Course Overview

• Course Objectives:

1. Understand the importance of security and privacy of information.

2. Understand the importance of protecting the privacy and confidentiality of data.

Page 5: 11002_lec 01-04 (1)

Course Overview

Text Books: Network Security Essentials: Applications and Standards by William Stallings, Pearson Education Publications, 4th Edition (2012)

References: Network Security Essentials (Applications and Standards) by William Stallings, Pearson Education, 1st Edition

Page 6: 11002_lec 01-04 (1)

Course Overview

In this age of universal electronic connectivity, of viruses and hackers, and of electronic fraud, there is indeed no time at which security does not matter.

Page 7: 11002_lec 01-04 (1)

Course Overview

Two trends have come together to motivate this course:

1. The explosive growth in computer systems and their interconnections via networks has increased the dependence of both organizations and individuals on the information stored and communicated using these systems. This in turn has led to a heightened awareness of the need to protect data and resources from disclosure.

Page 8: 11002_lec 01-04 (1)

Course Overview

2. The disciplines of cryptography and network security have matured, leading to the development of practical, readily available applications to enforce network security.

Page 9: 11002_lec 01-04 (1)

Career Overview

• If you have good cryptography knowledge combined with information security concepts and implementation, you will get a good job within one month, and that is certain. There are a lot of software companies in Bangalore looking for good crypto professionals.

Page 10: 11002_lec 01-04 (1)

Career Overview

• Cryptologists before the 80s were primarily depicted as spy agents involved in deciphering and constructing coded messages to gain an advantage over enemy activities. However, with the upsurge of information technology and the increasing dependence on electronic data processing, the range of activities a cryptologist is involved in has expanded.

Page 11: 11002_lec 01-04 (1)

Career Overview

• The vast amount of digital data that is stored and processed in large computer databases and transmitted through complex communication networks is susceptible to unauthorized interception and interpretation, and hence needs to be protected through encrypted remote access or passwords.

Page 12: 11002_lec 01-04 (1)

Career Overview

• Cryptologists are in demand in the military forces, government agencies, technology companies, banking and financial organizations, law enforcement agencies, universities and research institutes.

Page 13: 11002_lec 01-04 (1)

Chapter 1

Network Security Essentials

Fourth Edition, by William Stallings

Page 14: 11002_lec 01-04 (1)

The art of war teaches us to rely not on the likelihood of the enemy's not coming, but on our own readiness to receive him; not on the chance of his not attacking, but rather on the fact that we have made our position unassailable.

—The Art of War, Sun Tzu

Page 15: 11002_lec 01-04 (1)

The combination of space, time, and strength that must be considered as the basic elements of this theory of defense makes this a fairly complicated matter. Consequently, it is not easy to find a fixed point of departure.

—On War, Carl von Clausewitz

Page 16: 11002_lec 01-04 (1)

Computer Security

NIST: National Institute of Standards and Technology

ISOC: Internet Society

ITU-T: International Telecommunication Union (Telecommunication Standardization Sector)

ISO: International Organization for Standardization

Page 17: 11002_lec 01-04 (1)

Computer Security

The protection afforded to an automated information system in order to attain the applicable objectives of preserving the integrity, availability and confidentiality of information system resources (includes H/W, S/W, firmware, information/data, and telecommunications).

Page 18: 11002_lec 01-04 (1)

CIA triad (figure)

Page 19: 11002_lec 01-04 (1)

Computer Security

Integrity means guarding against improper information modification.

1. Data Integrity assures that information and programs are changed only in a specified and authorized manner.

2. System Integrity assures that a system performs its intended function in an unimpaired manner, free from deliberate unauthorized manipulation of the system.

Page 20: 11002_lec 01-04 (1)

Computer Security

Confidentiality means protecting privacy.

1. Data Confidentiality ensures that private or confidential information is not made available or disclosed to unauthorized individuals.

2. Privacy assures that individuals control what information related to them may be disclosed, by whom and to whom.

Page 21: 11002_lec 01-04 (1)

Computer Security

Availability means ensuring timely and reliable access to and use of information. It assures that systems work promptly and that service is not denied to authorized users.

Page 22: 11002_lec 01-04 (1)

Computer Security

Authenticity means the property of being genuine and being able to be verified and trusted; confidence in the validity of a

• transmission,
• message,
• message originator.

Page 23: 11002_lec 01-04 (1)

Computer Security

Accountability means the security goal that generates the requirement for actions of an entity to be traced uniquely to that entity.

Page 24: 11002_lec 01-04 (1)

Levels of Impact

We can define 3 levels of impact from a security breach:

• Low
• Moderate
• High

Page 25: 11002_lec 01-04 (1)

Aspects of Security

3 aspects of information security:

• security attack
• security mechanism
• security service

Page 26: 11002_lec 01-04 (1)

Aspects of Security

Security attack: Any action that compromises the security of information owned by an organization.

Security mechanism: A mechanism that is designed to detect, prevent or recover from a security attack.

Security service: A service that enhances the security of the data processing systems and the information transfers of an organization.

Page 27: 11002_lec 01-04 (1)

Security Services

Information security services replicate the types of functions normally associated with physical documents.

Most of the activities of mankind depend on the use of documents.

Documents typically have signatures and dates; they may need to be protected from disclosure and tampering; they may be notarized or witnessed; they may be recorded or licensed.

Page 28: 11002_lec 01-04 (1)

Security Services

Challenges to electronic documents:

1. It is usually possible to discriminate between an original paper document and a xerographic copy. However, an electronic document is merely a sequence of bits and bytes.

2. An alteration to a paper document may leave some sort of physical evidence.

3. Any proof process associated with a physical document typically depends upon physical characteristics of the document.

Page 29: 11002_lec 01-04 (1)

Security Services

List of common Information Integrity functions:

Page 30: 11002_lec 01-04 (1)

Security Service

• enhances security of data processing systems and information transfers of an organization
• intended to counter security attacks
• uses one or more security mechanisms
• often replicates functions normally associated with physical documents
• which, for example, have signatures and dates; need protection from disclosure, tampering, or destruction; may be notarized or witnessed; may be recorded or licensed

Page 31: 11002_lec 01-04 (1)

Security Services

X.800: "a service provided by a protocol layer of communicating open systems, which ensures adequate security of the systems or of data transfers"

RFC 2828: "a processing or communication service provided by a system to give a specific kind of protection to system resources"

Page 32: 11002_lec 01-04 (1)

Security Services (X.800)

Authentication: assurance that the communicating entity is the one claimed
• covers both peer-entity and data origin authentication

Access Control: prevention of the unauthorized use of a resource

Data Confidentiality: protection of data from unauthorized disclosure

Data Integrity: assurance that data received is as sent by an authorized entity

Non-Repudiation: protection against denial by one of the parties in a communication

Availability: resource accessible/usable

Page 33: 11002_lec 01-04 (1)

Security Mechanism

A feature designed to detect, prevent, or recover from a security attack.

No single mechanism will support all the services required; however, one particular element underlies many of the security mechanisms in use:

• cryptographic techniques

Hence our focus on this topic.

Page 34: 11002_lec 01-04 (1)

Security Attacks

• Normal Flow
• Interruption
• Interception
• Modification
• Fabrication

Page 35: 11002_lec 01-04 (1)

Security Attacks

Normal Flow (figure: Source to Destination)

Page 36: 11002_lec 01-04 (1)

Security Attacks

Interruption: This is an attack on availability; an asset of the system is destroyed or becomes unavailable.

Page 37: 11002_lec 01-04 (1)

Security Attacks

Interception: This is an attack on confidentiality; an unauthorized party gains access to an asset.

Page 38: 11002_lec 01-04 (1)

Security Attacks

Modification: This is an attack on integrity. An unauthorized party not only gains access to but tampers with assets.

Page 39: 11002_lec 01-04 (1)

Security Attacks

Fabrication: This is an attack on authenticity. An unauthorized party inserts counterfeit objects into the system.

Page 40: 11002_lec 01-04 (1)

Security Attacks

Classification of Security Attacks:

Passive attacks are in the nature of eavesdropping on, or monitoring of, transmissions.
• Release of message contents
• Traffic analysis

Active attacks
• Masquerade
• Replay
• Modification of message contents
• Denial of service

Page 41: 11002_lec 01-04 (1)

Release of message contents (figure)

Page 42: 11002_lec 01-04 (1)

Traffic analysis (figure)

Page 43: 11002_lec 01-04 (1)

Security Attacks

Classification of Security Attacks:

Active attacks involve some modification of the data stream or the creation of a false stream and can be subdivided into four categories:
• Masquerade
• Replay
• Modification of message contents
• Denial of service

Page 44: 11002_lec 01-04 (1)

Security Attacks

Masquerade takes place when one entity pretends to be a different entity.

Page 45: 11002_lec 01-04 (1)

Masquerade (figure)

Page 46: 11002_lec 01-04 (1)

Security Attacks

Replay involves the passive capture of a data unit and its subsequent retransmission to produce an unauthorized effect.

Page 47: 11002_lec 01-04 (1)

Replay (figure)

Page 48: 11002_lec 01-04 (1)

Security Attacks

Modification of message simply means that some portion of a legitimate message is altered, or that messages are delayed or reordered, to produce an unauthorized effect.

Page 49: 11002_lec 01-04 (1)

Modification of message (figure)

Page 50: 11002_lec 01-04 (1)

Security Attacks

Denial of service prevents or inhibits the normal use or management of communication facilities.

Page 51: 11002_lec 01-04 (1)

Denial of service (figure)

Page 52: 11002_lec 01-04 (1)

Model for Network Security (figure)

Page 53: 11002_lec 01-04 (1)

Model for Network Security

All the techniques for providing security have two basic components:

1. A security-related transformation on the information to be sent.

2. Some secret information shared by the two principals.

Page 54: 11002_lec 01-04 (1)

Model for Network Security

Four basic tasks in designing a particular security service:

1. Design a suitable algorithm for the security transformation.

2. Generate the secret information (keys) used by the algorithm.

3. Develop methods to distribute and share the secret information.

4. Specify a protocol enabling the principals to use the transformation and secret information for a security service.
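As an added example that is not part of the lecture slides, the two components of the model (a security-related transformation and a secret shared by the two principals) are realized here with an HMAC-SHA256 tag over a sequence number and the message body, and the receiver side rejects the active attacks classified earlier: modification, masquerade (a sender without the shared key) and replay. The shared key, the message format and the sample messages are all constructed for the demo.

```python
"""Added example, not from the slides: the network security model in code.
Transformation = HMAC-SHA256 over "seq|body"; shared secret = KEY.
The receiver rejects modification, masquerade and replay of messages.
Key, wire format and sample messages are constructed for this demo."""
import hashlib
import hmac

KEY = b"constructed-shared-secret-for-demo"  # known to sender and receiver


def protect(key: bytes, seq: int, body: str) -> dict:
    """Sender side: attach the transformation output (tag) to the message."""
    data = f"{seq}|{body}".encode()
    tag = hmac.new(key, data, hashlib.sha256).hexdigest()
    return {"seq": seq, "body": body, "tag": tag}


class Receiver:
    """Receiver side: verify the tag, then require a strictly increasing seq."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_seq = -1
        self.accepted = []

    def receive(self, msg: dict) -> str:
        data = f"{msg['seq']}|{msg['body']}".encode()
        expected = hmac.new(self.key, data, hashlib.sha256).hexdigest()
        # Constant-time compare. A MAC cannot tell a modified message from a
        # forged one, so both attacks surface as the same failure here.
        if not hmac.compare_digest(expected, msg["tag"]):
            return "rejected: bad tag (modified or not from key holder)"
        # A valid tag on an already-seen sequence number is a replay.
        if msg["seq"] <= self.last_seq:
            return "rejected: replay (sequence number already seen)"
        self.last_seq = msg["seq"]
        self.accepted.append(msg["body"])
        return "accepted"


def run_demo() -> list:
    """Deliver one legitimate message, then the three active-attack variants."""
    rx = Receiver(KEY)
    good = protect(KEY, 1, "transfer 100 to account A")
    results = [rx.receive(good)]
    # Modification: body altered in transit, original tag left in place.
    tampered = dict(good, body="transfer 1000 to account A")
    results.append(rx.receive(tampered))
    # Masquerade: a party without the shared key builds its own message.
    forged = protect(b"attacker-guess", 2, "transfer 100 to account B")
    results.append(rx.receive(forged))
    # Replay: the captured legitimate message is delivered a second time.
    results.append(rx.receive(good))
    return results


if __name__ == "__main__":
    for line in run_demo():
        print(line)
```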

Page 55: 11002_lec 01-04 (1)

Model for Network Access Security (figure)

Page 56: 11002_lec 01-04 (1)

Model for Network Access Security

Using this model requires us to:

1. select appropriate gatekeeper functions to identify users;

2. implement security controls to ensure only authorised users access designated information or resources.

Page 57: 11002_lec 01-04 (1)

Questions

1. Define computer security. (2 marks)

2. What are the three objectives of computer security? Or, what is the CIA triad? (2 marks)

3. How are security services classified?

4. Explain the basic model for network security.

5. What are the four basic tasks in designing a particular security service?

Page 58: 11002_lec 01-04 (1)

Summary

• topic roadmap and standards organizations
• security concepts: confidentiality, integrity, availability
• X.800 security architecture
• security attacks, services, mechanisms
• models for network (access) security